Local users get to play root?

nodata lsof at nodata.co.uk
Wed Nov 18 20:29:54 UTC 2009


On 2009-11-18 21:27, Seth Vidal wrote:
>
>
>> 2009/11/18 nodata <lsof at nodata.co.uk>:
>>> On 2009-11-18 20:20, Richard Hughes wrote:
>>>>
>>>> 2009/11/18 Casey Dahlin<cdahlin at redhat.com>:
>>>>>
>>>>> By the admin's first opportunity to change the settings the box could
>>>>> already be rooted.
>>>>
>>>> I'm not sure how you can root a computer from installing signed
>>>> content by a user that already has physical access to the machine.
>>>
>>> You install software with a known buffer overflow before it is fixed and
>>> exploit it. More software = more chances to exploit. Bingo!
>>
>> If a user logged in from a physical local console wanted to exploit
>> their machine, this would be the hard way to do it.
>
>
> So here is what I've just gotten from talking to Ray Strode and reading
> docs.
>
> if you want to disable this just run:
>
> pklalockdown --lockdown org.freedesktop.packagekit.package-install
>
> that will keep anyone from installing pkgs w/o authenticating as admin.
>
>
> That's the short version.
>
> the long version I'm working on writing up right now.
>
> -sv

Thanks for this. Does this need to be run as root? :)




More information about the fedora-devel-list mailing list